I have a folder in my site which contains files I don’t want users to browse to via the browser, so I put this into my web.config:
<location path="documents">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</location>
Problem is that on some pages in my site I have links to these very documents and I DO want users to be able to see those documents when they click on them. The problem is that at present when they click on these links they don’t get the documents. This, I do understand, is a contradictory state of affairs. The only thing in my favour is that when the user clicks on a link he will be logged in. Is there some way this can be solved?
The way I would do it is with a page that receives as a parameter some ID to the file you’re trying to get (the filename itself is also ok if it’s not a security breach on its own) that checks the user’s credentials and access to the file in code behind, then overwrites the output with the contents of the file (so loaded on the server side).
This way the client never needs access to the confidential folder at all; all communications go through your web page and through your credentials checking algorithm. Even if they get a valid link from someone and they don’t have access to it, they’ll get a request denied screen (or whatever you choose to code in).
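A sketch of the approach described in the answer above, added here as an example and not code from either poster. It assumes an ASP.NET generic handler; the class name `DocumentHandler`, the `id` query parameter, the file names and the user names are all hypothetical, and the catalogue is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical handler (e.g. GetDocument.ashx?id=1); every name below is an assumption.
public class DocumentHandler : IHttpHandler
{
    private sealed class Doc { public string FileName; public HashSet<string> Readers; }

    // Constructed sample data: ID -> file in ~/documents plus the users allowed to read it.
    // A real site would load this from its own database.
    private static readonly Dictionary<int, Doc> Catalog = new Dictionary<int, Doc>
    {
        { 1, new Doc { FileName = "handbook.pdf",
                       Readers = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" } } },
        { 2, new Doc { FileName = "salaries.pdf",
                       Readers = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice" } } }
    };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Anonymous requests stop here.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { Fail(context, 401); return; }

        // 2. The client supplies an ID, never a path, so it cannot name arbitrary files.
        int id;
        Doc doc;
        if (!int.TryParse(context.Request.QueryString["id"], out id) || !Catalog.TryGetValue(id, out doc))
        { Fail(context, 404); return; }

        // 3. Per-document check: a valid link passed on by someone else is still refused.
        if (!doc.Readers.Contains(context.User.Identity.Name))
        { Fail(context, 403); return; }

        // 4. The server reads the file from disk; the browser never requests /documents itself.
        string path = Path.Combine(context.Server.MapPath("~/documents"), doc.FileName);
        if (!File.Exists(path)) { Fail(context, 404); return; }
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + doc.FileName + "\"");
        context.Response.TransmitFile(path);
    }

    private static void Fail(HttpContext context, int status) { context.Response.StatusCode = status; }
}
```

Links on the site's pages would then point at the handler with a document ID instead of at the `documents` folder, which keeps its `deny users="*"` rule.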